From 3f36a01a5a4ac279706e49edba340977a95685e0 Mon Sep 17 00:00:00 2001
From: fi <fiona@grzb.de>
Date: Wed, 20 Nov 2024 05:46:40 +0100
Subject: [PATCH] Rename nixos-coturn to coturn and finish config

---
 hosts.nix                                     |  2 +-
 hosts/coturn/acme.nix                         | 10 +++++++++
 hosts/coturn/configuration.nix                | 22 +++++++++++++++++++
 hosts/{nixos-coturn => coturn}/coturn.nix     | 12 +++++-----
 hosts/{nixos-coturn => coturn}/default.nix    |  1 +
 hosts/{nixos-coturn => coturn}/secrets.nix    |  0
 hosts/nixos-coturn/configuration.nix          | 14 ------------
 .../virtualHosts/acme-challenge.nix           |  9 ++++++++
 8 files changed, 49 insertions(+), 21 deletions(-)
 create mode 100644 hosts/coturn/acme.nix
 create mode 100644 hosts/coturn/configuration.nix
 rename hosts/{nixos-coturn => coturn}/coturn.nix (82%)
 rename hosts/{nixos-coturn => coturn}/default.nix (82%)
 rename hosts/{nixos-coturn => coturn}/secrets.nix (100%)
 delete mode 100644 hosts/nixos-coturn/configuration.nix

diff --git a/hosts.nix b/hosts.nix
index cb5887a..ff6d3f3 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -51,7 +51,7 @@ in
       hostNixpkgs = nixpkgs-unstable;
       site = "vs";
     };
-    nixos-coturn = {
+    coturn = {
       site = "vs";
     };
     tor-relay = {
diff --git a/hosts/coturn/acme.nix b/hosts/coturn/acme.nix
new file mode 100644
index 0000000..69fe89d
--- /dev/null
+++ b/hosts/coturn/acme.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+  security.acme.certs = {
+    "turn.nekover.se" = {
+      listenHTTP = ":80";
+      group = "turnserver";
+      reloadServices = [ "coturn.service" ];
+    };
+  };
+}
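Review bot: The `listenHTTP = ":80"` entry makes the ACME client answer HTTP-01 directly on this host, which only works because configuration.nix opens 80/TCP and web-public-2 forwards the challenge path here, and none of that is recorded in the file. A comment above the cert such as `# HTTP-01 via standalone listener on :80; web-public-2 proxies /.well-known/acme-challenge/ for this name to this host` would keep the three pieces findable. `security.acme.acceptTerms` and a contact address are not set anywhere in this patch; presumably they come from shared configuration, otherwise the module's assertion fails at evaluation.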
diff --git a/hosts/coturn/configuration.nix b/hosts/coturn/configuration.nix
new file mode 100644
index 0000000..cb59fb9
--- /dev/null
+++ b/hosts/coturn/configuration.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "coturn";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 3478 5349 ];
+      allowedUDPPorts = [ 3478 5349 ];
+      allowedUDPPortRanges = [{
+        from = config.services.coturn.min-port;
+        to = config.services.coturn.max-port;
+      }];
+    };
+  };
+
+  system.stateVersion = "23.05";
+}
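Review bot: The TCP and UDP port lists hard-code 3478 and 5349 while the relay range a few lines below is read from `config.services.coturn`, so a later change to `listening-port` or `tls-listening-port` in coturn.nix would silently leave the firewall out of step. Referencing the options, `allowedTCPPorts = [ 80 config.services.coturn.listening-port config.services.coturn.tls-listening-port ];` and the same pair for `allowedUDPPorts`, keeps one source of truth. Port 80 is only there for the ACME HTTP-01 listener and deserves `# 80: ACME HTTP-01 listener, see acme.nix`. Since this replaces `firewall.enable = false` from the deleted file, anything else coturn binds (the alt-listening ports the NixOS module sets by default, the prometheus exporter enabled in coturn.nix) is now filtered, which looks intended but is worth stating in a comment.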
diff --git a/hosts/nixos-coturn/coturn.nix b/hosts/coturn/coturn.nix
similarity index 82%
rename from hosts/nixos-coturn/coturn.nix
rename to hosts/coturn/coturn.nix
index c85dcba..719c872 100644
--- a/hosts/nixos-coturn/coturn.nix
+++ b/hosts/coturn/coturn.nix
@@ -1,17 +1,17 @@
-{ ... }:
+{ config, ... }:
 {
   services.coturn = {
     enable = true;
-
     min-port = 49200;
     max-port = 49500;
     use-auth-secret = true;
     static-auth-secret-file = "/secrets/static-auth-secret.secret";
     realm = "turn.nekover.se";
-    cert = "/certs/turn.nekover.se/fullchain.pem";
-    pkey = "/certs/turn.nekover.se/key.pem";
+    cert = "${config.security.acme.certs."turn.nekover.se".directory}/fullchain.pem";
+    pkey = "${config.security.acme.certs."turn.nekover.se".directory}/key.pem";
     no-tcp-relay = true;
-    extraConfig = "
+    no-cli = true;
+    extraConfig = ''
       external-ip=170.133.2.81/10.202.41.118
       prometheus
       syslog
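Review bot: `cert` and `pkey` now point into the ACME directory, but a renewed certificate is only picked up if `reloadServices = [ "coturn.service" ]` in acme.nix maps to a reload that re-reads the files; if the coturn unit has no ExecReload the reload is rejected and the old certificate stays in memory until the next restart, so check this on the host or switch to restarting the unit. The name `turn.nekover.se` now appears four times in this file and again in acme.nix; a `let realm = "turn.nekover.se"; in` with `cert = "${config.security.acme.certs.${realm}.directory}/fullchain.pem";` would tie them together. The `prometheus` line in extraConfig starts coturn's metrics exporter, which the new firewall in configuration.nix does not open — fine if nothing scrapes it, otherwise it needs an allow rule restricted to the scraper. The extraConfig string continues past the hunk.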
@@ -40,6 +40,6 @@
 
       user-quota=12
       total-quota=1200
-      ";
+    '';
   };
 }
diff --git a/hosts/nixos-coturn/default.nix b/hosts/coturn/default.nix
similarity index 82%
rename from hosts/nixos-coturn/default.nix
rename to hosts/coturn/default.nix
index 1036572..bc32a3d 100644
--- a/hosts/nixos-coturn/default.nix
+++ b/hosts/coturn/default.nix
@@ -2,6 +2,7 @@
 {
   imports = [
     ./configuration.nix
+    ./acme.nix
     ./coturn.nix
   ];
 }
diff --git a/hosts/nixos-coturn/secrets.nix b/hosts/coturn/secrets.nix
similarity index 100%
rename from hosts/nixos-coturn/secrets.nix
rename to hosts/coturn/secrets.nix
diff --git a/hosts/nixos-coturn/configuration.nix b/hosts/nixos-coturn/configuration.nix
deleted file mode 100644
index 094f157..0000000
--- a/hosts/nixos-coturn/configuration.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ ... }:
-{
-  boot.loader.grub = {
-    enable = true;
-    device = "/dev/vda";
-  };
-
-  networking = {
-    hostName = "coturn";
-    firewall.enable = false;
-  };
-
-  system.stateVersion = "23.05";
-}
diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix
index 82540d8..6ec8d36 100644
--- a/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix
@@ -27,4 +27,13 @@
       proxyPass = "http://metrics.vs.grzb.de:80";
     };
   };
+  services.nginx.virtualHosts."turn.nekover.se" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://coturn.vs.grzb.de:80";
+    };
+  };
 }
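Review bot: The new vhost listens only on `0.0.0.0`, so HTTP-01 validation can reach it over IPv4 only; CAs such as Let's Encrypt prefer IPv6 when an AAAA record exists, so either add an IPv6 listen entry alongside it or leave a comment stating that `turn.nekover.se` must remain IPv4-only. The `listen = [{ ` line carries trailing whitespace. A short comment on the location, e.g. `# only the ACME challenge path is forwarded; TURN traffic goes straight to coturn`, would make clear that every other path on this vhost falls through to nginx's unmatched-location handling. The enclosing attribute set starts outside the hunk.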